VYPR

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abstraction: Base · Status: Stable · Likelihood of Exploit: High

Description

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
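The description above is the whole weakness in two sentences: input that should be data is pasted into the text of a statement and the database parses it as syntax. The following is an added example written for this page (not code from the CWE entry or from any product in the CVE list below); it uses Python's sqlite3 module and a constructed in-memory users table, and shows the three contexts a practitioner keeps running into: a quoted string value, a bare numeric value where quote-escaping helps nothing, and an identifier (ORDER BY column) that cannot be bound at all and needs an allow-list.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the page): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, is_admin) VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "bob", 0), (3, "carol", 0)],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str):
    # BAD: the untrusted value is spliced into the SQL text. Quotes, operators
    # and comment markers in it are parsed as SQL, not compared as data.
    # Input "' OR 1=1 --" turns the WHERE clause into
    #   username = '' OR 1=1 --' AND is_admin = 0
    # and the trailing is_admin filter is commented away.
    sql = f"SELECT id, username FROM users WHERE username = '{username}' AND is_admin = 0"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str):
    # GOOD: the value is sent as a bound parameter, never as SQL text, so
    # "' OR 1=1 --" is compared literally against the username column.
    sql = "SELECT id, username FROM users WHERE username = ? AND is_admin = 0"
    return conn.execute(sql, (username,)).fetchall()


def find_by_id_vulnerable(conn: sqlite3.Connection, raw_id: str):
    # BAD in a numeric context: no quote character is needed to break out
    # ("1 OR 1=1"), so quote-escaping the input would not help at all.
    sql = f"SELECT id, username FROM users WHERE id = {raw_id}"
    return conn.execute(sql).fetchall()


def find_by_id_safe(conn: sqlite3.Connection, raw_id: str):
    # GOOD: validate the type first, then bind. Non-numeric input is rejected
    # outright instead of being "cleaned".
    try:
        user_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()


# Identifiers (column and table names) cannot be passed as bound parameters,
# so the only safe option for a user-chosen sort column is an allow-list.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users_sorted(conn: sqlite3.Connection, sort_by: str):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    # Safe to interpolate only because sort_by was checked against the allow-list.
    return conn.execute(f"SELECT id, username FROM users ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("vulnerable  :", find_user_vulnerable(db, payload))    # all three rows, admin included
    print("safe        :", find_user_safe(db, payload))          # []
    print("numeric bad :", find_by_id_vulnerable(db, "1 OR 1=1"))  # all three rows
    print("numeric safe:", find_by_id_safe(db, "1 OR 1=1"))        # []
```

The point of the numeric and identifier cases is that "neutralizing special elements" is not one filter: each syntactic position in the statement has its own escape rules, which is why parameter binding (data never enters the parser as text) plus strict validation of what cannot be bound is the recommendation rather than any quoting routine.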

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-108 · CAPEC-109 · CAPEC-110 · CAPEC-470 · CAPEC-66 · CAPEC-7

CVEs mapped to this weakness (10,236)

page 39 of 512
  • CVE-2018-11369 · Critical · May 22, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue was discovered in PbootCMS v1.0.9. There is a SQL Injection that can get important information from the database via the \apps\home\controller\ParserController.php scode parameter.

  • CVE-2018-10759 · Critical · May 16, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    PHP remote file inclusion vulnerability in public/patch/patch.php in Project Pier 0.8.8 and earlier allows remote attackers to execute arbitrary commands or SQL statements via the id parameter.

  • CVE-2018-11032 · Critical · May 14, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    PHPRAP 1.0.4 through 1.0.8 has SQL Injection via the application/home/controller/project.php search() function.

  • CVE-2018-8824 · Critical · May 10, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute a SQL Injection through function calls in the code parameter.

  • CVE-2017-17902 · Critical · Apr 22, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL Injection exists in Kliqqi CMS 3.5.2 via the randkey parameter of a new story at the pligg/story.php?title= URI.

  • CVE-2018-10284 · Critical · Apr 21, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    Adaltech G-Ticket v70 EME104 has SQL Injection via the mobile-loja/mensagem.asp eve_cod parameter.

  • CVE-2018-10283 · Critical · Apr 21, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    CliqueMania loja virtual 14 has SQL Injection via the patch/remote.php id parameter in a recomendar action.

  • CVE-2018-1290 · Critical · Apr 20, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.03

    In Apache Fineract versions 1.0.0, 0.6.0-incubating, 0.5.0-incubating, 0.4.0-incubating, Using a single quotation escape with two continuous SQL parameters can cause a SQL injection. This could be done in Methods like retrieveAuditEntries of AuditsApiResource Class and…

  • CVE-2018-10225 · Critical · Apr 19, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    thinkphp 3.1.3 has SQL Injection via the index.php s parameter.

  • CVE-2018-9924 · Critical · Apr 10, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue was discovered in idreamsoft iCMS through 7.0.7. SQL injection exists via the pid array parameter in an admincp.php?app=tag&do=save&frame=iPHP request.

  • CVE-2018-9309 · Critical · Apr 5, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in a dl/dl_sendsms.php request.

  • CVE-2018-9247 · Critical · Apr 4, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    The upsql function in \Lib\Lib\Action\Admin\DataAction.class.php in Gxlcms QY v1.0.0713 allows remote attackers to execute arbitrary SQL statements via the sql parameter. Consequently, an attacker can execute arbitrary PHP code by placing it after a <?php substring, and then…

  • CVE-2014-4959 · Critical · Mar 27, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    **DISPUTED** SQL injection vulnerability in SQLiteDatabase.java in the SQLi Api in Android allows remote attackers to execute arbitrary SQL commands via the delete method.

  • CVE-2018-8967 · Critical · Mar 24, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    An issue was discovered in zzcms 8.2. It allows SQL injection via the id parameter in an adv2.php?action=modify request.

  • CVE-2018-8943 · Critical · Mar 22, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    There is a SQL injection in the PHPSHE 1.6 userbank parameter.

  • CVE-2018-7269 · Critical · Mar 21, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    The findByCondition function in framework/db/ActiveRecord.php in Yii 2.x before 2.0.15 allows remote attackers to conduct SQL injection attacks via a findOne() or findAll() call, unless a developer recognizes an undocumented need to sanitize array input.

  • CVE-2014-2652 · Critical · Mar 19, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    SQL injection vulnerability in OpenScape Deployment Service (DLS) before 6.x and 7.x before R1.11.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

  • CVE-2018-7033 · Critical · Mar 15, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    SchedMD Slurm before 17.02.10 and 17.11.x before 17.11.5 allows SQL Injection attacks against SlurmDBD.

  • CVE-2018-1000131 · Critical · Mar 14, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.02

    Pradeep Makone wordpress Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL Injection vulnerability in the function to get tickets, the parameter email in cookie was injected that can result in filter the parameter. This attack appears to be…

  • CVE-2018-7732 · Critical · Mar 6, 2018
    risk 0.64 · CVSS 9.8 · EPSS 0.01

    An issue was discovered in YxtCMF 3.1. SQL Injection exists in ShitiController.class.php via the ids array parameter to exam/shiti/delshiti.html.